Abstract

In this work we provide a suite of protocols for group key management
based on general semigroup actions. The key is constructed in a distributed
and collaborative way. Examples are provided that may in some cases improve
the security level and reduce the communication overhead of previously
existing protocols. Security against passive attacks is considered and
depends on the hardness of the semigroup action problem in each particular
scenario.
1 Introduction

Traditional cryptographic tools for key exchange may not be useful when the
communication process is carried out in a group of nodes or users. There exist
several approaches for group key management, which may be divided into three
main classes [12]:

• centralized protocols, where a single entity is in charge of controlling the 
whole group, minimizing storage requirements, computational power on 
both the client and server side and communication overheads, 

• decentralized , where a large group is divided into subgroups in order to 
avoid concentrating the workload in a single point, 

• distributed, where key generation is carried out in a distributed and collaborative way.
This last class of approaches has become particularly important since the emergence
of ad hoc networks, where a set of nodes, possibly consisting of light and
mobile devices, create, operate and manage a network, which is therefore solely
dependent on the cooperative and trusting nature of the nodes. Moreover, the
limited capacity of the involved devices imposes constraints on both key storage and
computation. Such a network is commonly created to meet an immediate
demand and a specific goal, and nodes are continuously joining or leaving it.
Thus, group key management based on distributed and collaborative schemes
has proved to be of great interest (cf. for instance [17] and its references).

One of the most cited approaches in the distributed setting is due to Steiner
et al. in [13] and [15]. In these works the authors provide two different group
key management schemes that extend the traditional Diffie-Hellman key exchange
[4] and feature very efficient rekeying procedures.

In [8], the authors generalize the aforementioned classical Diffie-Hellman key
exchange to arbitrary semigroup actions:

Protocol 1 (Semigroup Diffie-Hellman Key Exchange). Let $S$ be a finite set,
$G$ an abelian semigroup, and $\Phi : G \times S \to S$ a $G$-action on $S$. The semigroup
Diffie-Hellman key exchange in $(G, S, \Phi)$ is the following protocol:

1. Alice and Bob publicly agree on an element $s \in S$.

2. Alice chooses $a \in G$ and computes $\Phi(a, s)$. Alice's private key is $a$, her
public key is $\Phi(a, s)$.

3. Bob chooses $b \in G$ and computes $\Phi(b, s)$. Bob's private key is $b$, his public
key is $\Phi(b, s)$.

4. Their common secret key is then

$$\Phi(a, \Phi(b, s)) = \Phi(ab, s) = \Phi(ba, s) = \Phi(b, \Phi(a, s)).$$

In the original Diffie-Hellman proposal, if an adversary is able to solve the
so-called Discrete Logarithm Problem (DLP), then she is able to break the
Diffie-Hellman key exchange. In this setting we can analogously consider the
following more general problem:

Problem 1 (Semigroup Action Problem, SAP). Given a semigroup $G$ acting
on a set $S$ and elements $x, y \in S$, find $g \in G$ such that $\Phi(g, x) = y$.

It is clear that if an adversary, Eve, finds a $g \in G$ such that $\Phi(g, s) = \Phi(a, s)$,
then she can find the shared secret by computing
$$\Phi(g, \Phi(b, s)) = \Phi(gb, s) = \Phi(bg, s) = \Phi(b, \Phi(g, s)) = \Phi(b, \Phi(a, s)).$$

We can say that the security of the preceding protocol is equivalent to the
following problem.

Problem 2 (Diffie-Hellman Semigroup Action Problem, DHSAP). Given a
finite abelian semigroup $G$ acting on a finite set $S$ and elements $x, y, z \in S$ with
$y = \Phi(g, x)$ and $z = \Phi(h, x)$ for some $g, h \in G$, find $\Phi(gh, x)$.

Although, as noted above, solving the SAP implies solving the DHSAP,
we do not know whether both problems are (in general) equivalent, just as in the
traditional Diffie-Hellman setting, where however some equivalence results
for particular scenarios are known [5].
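As an added worked example (not part of the paper), the following Python code instantiates Protocol 1 with the action of $\mathbb{N}^*$ on the subgroup $\langle 2 \rangle$ of $GF(23)^*$, $\Phi(y, x) = x^y \bmod 23$, and shows the passive adversary of the text solving the SAP on Alice's public key to recover the shared secret. The parameters $p = 23$, $q = 11$, $s = 2$ are toy values chosen here so that the SAP is brute-forceable; the class and function names are this example's own.

```python
# Added example, not code from the paper. Protocol 1 (semigroup Diffie-Hellman)
# with the action Phi(y, x) = x^y mod p of N* on the cyclic subgroup <g> of
# GF(p)^*, where g has order q.  Toy parameters (assumption): p = 23, q = 11,
# g = 2, small enough that the Semigroup Action Problem can be brute-forced.
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpAction:
    """N* acting on <g> subset GF(p)^* by Phi(y, x) = x^y mod p; g has order q."""
    p: int
    q: int

    def act(self, y: int, x: int) -> int:
        return pow(x, y, self.p)

    def exponents(self):
        # Exponents only matter modulo q, since every x in <g> has order dividing q.
        return range(1, self.q)


def semigroup_dh(action: ExpAction, s: int, a: int, b: int):
    """Run Protocol 1. Returns (Alice's public key, Bob's public key, Alice's key, Bob's key)."""
    pub_a = action.act(a, s)                 # step 2: Phi(a, s)
    pub_b = action.act(b, s)                 # step 3: Phi(b, s)
    key_a = action.act(a, pub_b)             # step 4: Phi(a, Phi(b, s)) = Phi(ab, s)
    key_b = action.act(b, pub_a)             #         Phi(b, Phi(a, s)) = Phi(ba, s)
    return pub_a, pub_b, key_a, key_b


def solve_sap(action: ExpAction, x: int, y: int):
    """Semigroup Action Problem (Problem 1): find g with Phi(g, x) = y.
    Exhaustive search, feasible only because the toy semigroup is tiny."""
    for g in action.exponents():
        if action.act(g, x) == y:
            return g
    return None


def eve_recovers_key(action: ExpAction, s: int, pub_a: int, pub_b: int):
    """Passive attacker: solve the SAP on Alice's public key, then apply the
    recovered g to Bob's public key, exactly as in the text after Problem 1."""
    g = solve_sap(action, s, pub_a)
    return None if g is None else action.act(g, pub_b)


TOY = ExpAction(p=23, q=11)   # 2 has multiplicative order 11 modulo 23
BASE = 2


if __name__ == "__main__":
    pa, pb, ka, kb = semigroup_dh(TOY, BASE, a=3, b=7)
    assert ka == kb
    print("Alice/Bob shared key:", ka)
    print("Eve (SAP brute force):", eve_recovers_key(TOY, BASE, pa, pb))
```

With real parameters the search in `solve_sap` is exactly the step the protocol's security rests on being infeasible; the rest of the attacker's work (one application of the action to Bob's public key) is free.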

Motivated by the above, our idea is now to define extensions of the semigroup
Diffie-Hellman key exchange protocol to $n$ users, by first generalizing those
introduced in [13] and [15], and then considering other settings, which can feature
more favorable characteristics compared to the original protocol. Since the
capability of devices is often limited and authentication processes may be difficult
to implement in a distributed network, we focus our attention on confidentiality
under passive attacks. As in [8], some non-standard settings are introduced as
more general examples; the hardness of the SAP in those settings has not yet been
proven, so the security of the protocols there is conditional on it.

The structure of the paper is as follows. In Section 2 we consider a suite of
three protocols for group key management based on one-sided actions. While
these naturally extend the results of [14] and [15], we consider different settings
for a general semigroup action. Section 3 considers the security of the preceding
protocols against passive attacks, including forward and backward secrecy.
Finally, in Section 4, we introduce two protocols based on linear actions, i.e.
semigroup actions on other semigroups satisfying a certain distributivity property.
We give two different group key protocols in this setting, one of which runs very
efficiently in only two rounds, independently of the number of members in the
communicating group.

Throughout this paper we will consider a group of $n$ users, $U_1, \ldots, U_n$, who
would like to share a secret element of a finite set $S$, and $G$ will denote a finite
abelian semigroup acting on $S$.


2 Group key communication based on one-sided actions

In this section we consider three different extensions of the semigroup Diffie-Hellman
key exchange with different computing requirements and communication
overheads, but with possible applications in different cases. They are
natural extensions of [14] and [15]. For completeness we report proofs in the
appendix to show soundness of the schemes.

2.1 A sequential key agreement 

The first approach to extending the key exchange protocol consists of a sequence
of messages, built using pieces of private information, along a chain of users, and
an analogous second sequence of messages in the opposite direction. Therefore every
user sends and receives two messages, except for the user that initiates the
communication and the last user receiving the first sequence of messages.

The protocol is defined by the following steps. 
Protocol 2 (GSAP-1). Users agree on an element $s$ in a finite set $S$, a finite
abelian semigroup $G$, and a $G$-action on $S$ given by $\Phi$. For every $i = 1, \ldots, n$,
the user $U_i$ holds a private element $g_i \in G$.

1. For $i = 1, \ldots, n-1$, user $U_i$ sends to user $U_{i+1}$ the message
$$\{C_1, \ldots, C_i\} = \Big\{\Phi(g_1, s),\ \Phi(g_2 g_1, s),\ \ldots,\ \Phi\Big(\prod_{j=1}^{i} g_j, s\Big)\Big\}.$$

2. User $U_n$ computes $\Phi(g_n, C_{n-1})$.

3. For $k = n, \ldots, 2$, user $U_k$ sends to user $U_{k-1}$ the message $\{f_1^k, \ldots, f_{k-1}^k\}$,
where $f_j^k = \Phi(g_k, f_j^{k+1})$ for $2 \le k \le n-1$ and $f_j^n = \Phi(g_n, C_{j-1})$, $j = 1, \ldots, n-1$, with $C_0 = s$.

4. For $k = 1, \ldots, n-1$, user $U_k$ computes $\Phi(g_k, f_k^{k+1})$.
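The following Python code is an added example (not the paper's) that runs GSAP-1 with the action $\Phi(y, x) = x^y \bmod p$ of $\mathbb{N}^*$ on $\langle s \rangle \subseteq GF(p)^*$, records both chains of messages, and includes the health check suggested in Section 2.3 a), namely flagging a node whose descending message never arrives. The toy parameters $p = 23$, $s = 2$ (of order 11) and the private exponents are assumptions of this example.

```python
# Added example, not code from the paper. GSAP-1 with the action
# Phi(y, x) = x^y mod p of N* on <s> in GF(p)^* (toy parameters: p = 23, s = 2
# of order 11; assumption of this example).  Every message of both chains is
# recorded so the per-user cost and the "missing message" check can be seen.
from math import prod


def act(y: int, x: int, p: int) -> int:
    """The semigroup action Phi(y, x) = x^y mod p."""
    return pow(x, y, p)


def gsap1(keys, s, p):
    """Run GSAP-1 for private elements keys = [g_1, ..., g_n].
    Returns (keys derived by U_1..U_n, transcript of (sender, receiver, message))."""
    n = len(keys)
    transcript = []                      # user indices are 1-based, as in the text
    # Step 1, ascending chain: C_i = Phi(g_i, C_{i-1}), C_0 = s; U_i sends {C_1, ..., C_i}.
    C = [s]
    for i in range(1, n):
        C.append(act(keys[i - 1], C[-1], p))
        transcript.append((i, i + 1, list(C[1:])))
    derived = [None] * n
    # Step 2: U_n holds C_{n-1} and derives the key at once.
    derived[n - 1] = act(keys[n - 1], C[n - 1], p)
    # Step 3, descending chain: f^n_j = Phi(g_n, C_{j-1}); f^k_j = Phi(g_k, f^{k+1}_j).
    f = [act(keys[n - 1], C[j - 1], p) for j in range(1, n)]   # f^n_1 .. f^n_{n-1}
    transcript.append((n, n - 1, list(f)))
    for k in range(n - 1, 0, -1):
        # Step 4: U_k keys from f^{k+1}_k, the k-th entry of the message it received.
        derived[k - 1] = act(keys[k - 1], f[k - 1], p)
        if k > 1:
            f = [act(keys[k - 1], f[j], p) for j in range(k - 1)]   # f^k_1 .. f^k_{k-1}
            transcript.append((k, k - 1, list(f)))
    return derived, transcript


def missing_senders(transcript, n):
    """Section 2.3 a): once the ascending chain has reached U_n, a descending message
    is expected from each of U_n, ..., U_2; report the senders that never appeared."""
    seen = {sender for sender, receiver, _ in transcript if receiver < sender}
    return sorted(set(range(2, n + 1)) - seen)


if __name__ == "__main__":
    keys = [3, 5, 7, 4]                       # private g_i of U_1..U_4 (constructed)
    derived, transcript = gsap1(keys, s=2, p=23)
    assert len(set(derived)) == 1 and derived[0] == act(prod(keys), 2, 23)
    for sender, receiver, msg in transcript:
        print(f"U{sender} -> U{receiver}: {len(msg)} element(s)")
    # Simulate a failed node: drop U_3's descending message and flag it.
    partial = [t for t in transcript if not (t[0] == 3 and t[1] < 3)]
    print("missing descending senders:", missing_senders(partial, len(keys)))
```

The transcript makes the cost profile of the text visible: $U_i$ sends $i$ elements upward and $k-1$ elements downward, so the total number of transmitted elements grows quadratically in $n$, which is the overhead the paper refers to.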

2.2 A key agreement in broadcast 

The following protocol presents a lower communication overhead than GSAP-1. 
The idea is again to get a first sequence of messages from user U\ to user U n , 
but now U n will broadcast a message that allows the rest of the users to recover 
the common key. 

Protocol 3 (GSAP-2). Users agree on an element $s$ in a finite set $S$, a finite
abelian semigroup $G$, and a $G$-action $\Phi$ on $S$. For every $i = 1, \ldots, n$, the user
$U_i$ holds a private element $g_i \in G$.

1. For $i = 1, \ldots, n-1$, user $U_i$ sends to user $U_{i+1}$ the message
$$\{C_1^i, \ldots, C_{i-1}^i,\ C_{i-1}^{i-1},\ C_i^i\},$$
where $C_0^0 = s$, $C_1^1 = \Phi(g_1, s)$, and for $i \ge 2$, $C_i^i = \Phi(g_i, C_{i-1}^{i-1})$,
$C_{i-1}^i = \Phi(g_i, C_{i-2}^{i-2})$ and $C_j^i = \Phi(g_i, C_j^{i-1})$ for $j = 1, \ldots, i-2$.
(Thus $C_i^i = \Phi(\prod_{r=1}^{i} g_r, s)$ and, for $j < i$, $C_j^i = \Phi(\prod_{r=1; r \ne j}^{i} g_r, s)$; see Appendix 6.)

2. User $U_n$ computes $\Phi(g_n, C_{n-1}^{n-1})$.

3. User $U_n$ broadcasts $\{f_1^n, \ldots, f_{n-1}^n, f_n^n\}$, where $f_i^n = \Phi(g_n, C_i^{n-1})$ for
$i = 1, \ldots, n-2$, $f_{n-1}^n = \Phi(g_n, C_{n-2}^{n-2})$ and $f_n^n = C_{n-1}^{n-1}$.

4. User $U_i$ computes $\Phi(g_i, f_i^n)$, $i = 1, \ldots, n-1$.

Remark 2.1. It can be observed that the element $f_n^n$ contained in the broadcast
message in step 3 of Protocol GSAP-2 is not needed by any of the users $U_i$,
$i = 1, \ldots, n-1$, to recover the shared key. However, the distribution of this
value is required for future rekeying operations, as we will show later.
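As an added example (not the paper's code), the following Python runs GSAP-2 with the action $\Phi(y, x) = x^y \bmod p$ on $\langle s \rangle \subseteq GF(p)^*$, carrying along exactly the message $\{C_1^i, \ldots, C_{i-1}^i, C_{i-1}^{i-1}, C_i^i\}$ at each hop and producing $U_n$'s broadcast $\{f_1^n, \ldots, f_n^n\}$. The toy parameters $p = 23$, $s = 2$ and the private exponents are assumptions of this example.

```python
# Added example, not code from the paper. GSAP-2 with the action
# Phi(y, x) = x^y mod p of N* on <s> in GF(p)^* (toy parameters p = 23, s = 2;
# assumption of this example).  The per-hop message is exactly
# {C^i_1, ..., C^i_{i-1}, C^{i-1}_{i-1}, C^i_i} and U_n's broadcast is
# {f^n_1, ..., f^n_{n-1}, f^n_n}.
from math import prod


def act(y: int, x: int, p: int) -> int:
    return pow(x, y, p)


def gsap2(keys, s, p):
    """Run GSAP-2 for private elements keys = [g_1, ..., g_n].
    Returns (keys derived by U_1..U_n, the broadcast of step 3, hop message sizes)."""
    n = len(keys)
    sizes = []
    full_prev = s                  # C^{i-1}_{i-1}; starts as C^0_0 = s
    full = act(keys[0], s, p)      # C^i_i; starts as C^1_1 = Phi(g_1, s)
    partial = []                   # C^i_j, j = 1..i-1, i.e. Phi(prod_{r<=i, r!=j} g_r, s)
    sizes.append(len(partial) + 2)          # message U_1 -> U_2
    for i in range(2, n):          # U_i, i = 2..n-1, extends what it received and forwards
        g = keys[i - 1]
        partial = [act(g, c, p) for c in partial] + [act(g, full_prev, p)]
        full_prev, full = full, act(g, full, p)
        sizes.append(len(partial) + 2)      # message U_i -> U_{i+1}
    # U_n now holds C^{n-1}_1..C^{n-1}_{n-2} (partial), C^{n-2}_{n-2} (full_prev)
    # and C^{n-1}_{n-1} (full).
    g_n = keys[n - 1]
    key_n = act(g_n, full, p)                                        # step 2
    broadcast = [act(g_n, c, p) for c in partial] \
        + [act(g_n, full_prev, p), full]                             # step 3: f^n_1..f^n_n
    derived = [act(keys[i], broadcast[i], p) for i in range(n - 1)] + [key_n]   # step 4
    return derived, broadcast, sizes


if __name__ == "__main__":
    keys = [3, 5, 7, 4]                      # private g_i of U_1..U_4 (constructed)
    derived, broadcast, sizes = gsap2(keys, s=2, p=23)
    assert len(set(derived)) == 1 and derived[0] == act(prod(keys), 2, 23)
    print("hop message sizes:", sizes, "broadcast size:", len(broadcast))
    print("f^n_n (kept for rekeying only):", broadcast[-1])
```

Compared with GSAP-1, each user sends one message and the descending chain is replaced by a single broadcast of $n$ elements, which is the overhead reduction the text refers to; the last broadcast element $f_n^n$ is not used by anyone for the key and exists only for rekeying.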
2.3 Examples

a) The two previous protocols are extensions of those introduced in [13] and
[15] for the action of the multiplicative semigroup $\mathbb{N}^*$ on a cyclic group $S$ of
order $q$ generated by $g$, given by $\Phi(y, g^x) = (g^x)^y$. It was pointed out that
the first protocol presents excessive communication overhead, mainly due to
both the number of rounds and the number of messages to be sent. Because of this, only the
second one, referred to as IKA.1 in [14], was recommended. However, the first
protocol could be interesting on its own when applied to a sensor network whose
communications need to be secure and where it should be assessed whether
every node is working properly: after user $U_n$ receives the message in step 1,
the absence of any of the messages (except the last one) in the descending
chain of rounds would indicate that the corresponding sender node is not working
or that the communication was interrupted.

b) In particular, consider a finite field $GF(q)$ and an element $g$ of prime order.
The semigroup $\mathbb{N}^*$ acts on the subgroup $\langle g \rangle \subseteq GF(q)^*$ by $\Phi(y, g^x) = (g^x)^y$ for
$x, y \in \mathbb{N}^*$.

c) Let $\mathcal{E}$ be the set of points of an elliptic curve. Then the action $\Phi : \mathbb{N}^* \times \mathcal{E} \to \mathcal{E}$
given by $\Phi(n, P) = nP$ for every $n \in \mathbb{N}^*$ and every $P \in \mathcal{E}$ provides the
corresponding versions of the preceding protocols for elliptic curves. An
implementation of the second protocol can be found in [?].

d) In [8, Example 5.13] the authors illustrate the use of a semiring of order 6 to
construct an example of a practical SAP. This was later cryptanalyzed in [?],
due not to a general attack but rather to the structure of this particular semiring. However,
we can use the semiring of order 20 given in [8, Example 5.8] to analogously
define another SAP, whose cryptanalysis is still an open question. This gives
an example where the SAP does not coincide with a traditional DLP on a semigroup,
and it is applicable to both preceding protocols.

e) In [?, Protocol 80] the author defines a key exchange protocol whose security
is based on the SAP derived from the following semigroup action: let $S$ be a
semiring, $T$ a finitely generated additive subsemigroup of $S$ and let $\mathrm{End}_+(T)$
be its semigroup of additive endomorphisms. Then the semigroup action that
defines the security of this protocol is given by
$$\Phi : (S \times T^{op}) \times \mathrm{End}_+(T) \to \mathrm{End}_+(T), \qquad ((s, t), f) \mapsto \big(x \mapsto s \cdot f(x) \cdot t\big).$$

Remark 2.2. Many examples of semigroup actions suitable for defining a Diffie-Hellman
type key exchange protocol can be found in [7]. For some of them the corresponding SAP
is shown to be computationally equivalent to a DLP.

2.4 A key agreement given by a group action

The existence of inverses in the semigroup $G$ acting on the set $S$ can provide a
way to agree on a common key with reduced communication overhead. Moreover,
computations can be distributed more evenly among the users. We
remark that in the protocols given in the two previous sections, these requirements
are higher the further away the user is from the one that initiated the
protocol.

Thus we assume that $G$ is a group. The protocol is given by the following
steps.

Protocol 4 (GSAP-3). Users agree on an element $C_0 = s$ in a finite set $S$, a
finite abelian group $G$, and a $G$-action $\Phi$ on $S$. For every $i = 1, \ldots, n$, the user
$U_i$ holds a private element $g_i \in G$.

1. For $i = 1, \ldots, n-2$, user $U_i$ sends to user $U_{i+1}$ the message $C_i = \Phi(g_i, C_{i-1})$.

2. User $U_{n-1}$ computes $C_{n-1} = \Phi(g_{n-1}, C_{n-2})$ and broadcasts it to the other
users $\{U_1, \ldots, U_{n-2}, U_n\}$.

3. User $U_n$ computes the element $\Phi(g_n, C_{n-1})$.

4. For $i = 1, \ldots, n-1$, user $U_i$ computes $D_i = \Phi(g_i^{-1}, C_{n-1})$ and sends it to
user $U_n$.

5. For $i = 1, \ldots, n-1$, user $U_n$ computes $\Phi(g_n, D_i)$ and sends to users
$\{U_1, \ldots, U_{n-1}\}$ the set of values $\{\Phi(g_n, D_1), \ldots, \Phi(g_n, D_{n-1}), C_{n-1}\}$.

6. For $i = 1, \ldots, n-1$, user $U_i$ computes $\Phi(g_i, \Phi(g_n, D_i))$.

After protocol GSAP-3, the users $U_1, \ldots, U_n$ share a common key given by
$$\Phi\Big(\prod_{i=1}^{n} g_i, s\Big).$$
This follows easily from the commutativity of $G$ and the fact that for every
$g_i, g_j \in G$, $i, j = 1, \ldots, n$, and $s \in S$, we get that $\Phi(g_i g_j, s) = \Phi(g_i, \Phi(g_j, s))$;
indeed $\Phi(g_i, \Phi(g_n, D_i)) = \Phi\big(g_i g_n g_i^{-1} \prod_{r=1}^{n-1} g_r, s\big)$.

Remark 2.3. As in Protocol GSAP-2, we also point out that the element $C_{n-1}$,
which is re-sent by $U_n$ in step 5 of Protocol GSAP-3, is needed only for future
rekeying purposes.

Remark 2.4. Using the action $\Phi(y, g^x) = (g^x)^y$ for $x, y \in \mathbb{Z}_q^*$, with $g$ a generator
of a cyclic group $S$ of order $q$, we get the third protocol introduced in
[13] and [15], referred to as IKA.2 in CLIQUES [14]. In this case, user $U_i$
sends to user $U_n$ the message $g^{\prod_{j=1, j \ne i}^{n-1} x_j}$, which is computed with the element
$x_i^{-1} \bmod q$, given that the $x_i$'s are selected either to be coprime with $q$ or, as
the authors suggest, $q$ is chosen to be a prime.

An elliptic curve version is clearly also feasible. An implementation in this
sense can be found in [?].
3 Security of the key agreements and rekeying operations

In [8] it was pointed out that if an adversary is able to solve the SAP, then she
will be able to break the two-party Diffie-Hellman key exchange, i.e. solve the
DHSAP. It is easy to observe that being able to solve the DHSAP allows getting
the shared key in all the protocols proposed above.

Proposition 3.1. If an adversary is able to solve the DHSAP, then she can get
the shared key in GSAP-1, GSAP-2 and GSAP-3.

Proof. This follows from the fact that the adversary can access the pair of values

• $(C_1, f_1^2) = \big(\Phi(g_1, s),\ \Phi(\prod_{i=2}^{n} g_i, s)\big)$ in GSAP-1;

• $(C_1^1, f_1^n) = \big(\Phi(g_1, s),\ \Phi(\prod_{i=2}^{n} g_i, s)\big)$ in GSAP-2;

• $(C_1, \Phi(g_n, D_1)) = \big(\Phi(g_1, s),\ \Phi(\prod_{i=2}^{n} g_i, s)\big)$ in GSAP-3.

In each case the shared key is $\Phi(g_1 \prod_{i=2}^{n} g_i, s)$, i.e. the DHSAP solution for the
instance $(s, \Phi(g_1, s), \Phi(\prod_{i=2}^{n} g_i, s))$. $\square$

The preceding result shows, as could be expected, that the multiparty key
exchange protocols do not enhance the security that the corresponding two-party
protocol offers. However, as in [14] and [15], it is possible to show that
increasing the number of messages does not produce any information leakage
whenever the corresponding key exchange based on the SAP for two communicating
parties is secure. Here we are referring to security against passive attacks;
a totally different picture would arise if we assumed that the attacker can control
communications from and to one or more particular users, see e.g. [13].

Let $X = \{g_1, \ldots, g_n\}$ be a set of elements of the semigroup $G$, $s$ an element
of a set $S$ and $\Phi$ a $G$-action on $S$. Let us define the (ordered) set of elements of $S$
$$V_\Phi(s, n, X) = \Big\{\Phi\Big(\prod_{j \in I} g_j, s\Big) : I = \{i_1, \ldots, i_m\} \subsetneq \{1, \ldots, n\}\Big\}$$
and the value $K_\Phi(s, n, X) = \Phi\big(\prod_{j=1}^{n} g_j, s\big) \in S$.

We point out that the set of messages that any adversary observes in any of the
protocols is a subset of $V_\Phi(s, n, X)$, and the key that the users agree on is
precisely $K_\Phi(s, n, X)$. Let us assume now that $\Phi$ is a transitive action, i.e.,
for every pair of elements $s, s' \in S$ there always exists a $g \in G$ such that
$\Phi(g, s) = s'$. Thus if $s \in S$ is a public element, given any two elements
$s_1, s_2 \in S$, there always exist $g_1, g_2 \in G$ such that $\Phi(g_i, s) = s_i$, $i = 1, 2$. Let
$s_3 = \Phi(g_1, \Phi(g_2, s)) = \Phi(g_1 g_2, s)$. If, given $s$, $s_1$ and $s_2$, it is not feasible
to distinguish $s_3$ from a random value in polynomial time, then an induction
argument like that given in [15, Theorem 1] allows us to show the following
result.

Theorem 3.2. Let $\Phi$ be a transitive $G$-action on $S$. Then the group key that
users derive as a result of any of the protocols GSAP-1, GSAP-2 and GSAP-3
is indistinguishable in polynomial time from a random value, given only the
values exchanged between users during the protocol, whenever the corresponding
Diffie-Hellman protocol induced by $\Phi$ for two users satisfies this property.

Another important issue in any group key management scheme is rekeying after
the initial key agreement. There are three different situations that require a
rekeying operation. The first is simply due to key expiry, with the group of
users remaining the same. In the other two cases, a new user wishes to join the
group or a user leaves the group. In both situations it is
required that the new (resp. former) user cannot access the former (resp. new)
distributed key. In the following lines we describe the procedures as well as their
security.

Let us start by considering the protocol GSAP-1 described in Section 2.1.
In this case, we could simply require that a new initial key agreement be run.
However, we may shorten the rekeying process, keeping somehow the spirit
of the protocol. If rekeying is due to key expiry, then user $U_n$ chooses a
new private element $g'_n \in G$ and defines a new sequence $f_j^n = \Phi(g'_n g_n, C_{j-1})$,
$j = 1, \ldots, n-1$, with $C_0 = s$, as is done in step 3 of GSAP-1. The rest of the
users also proceed as in step 3 and recover (using their private keys as described
in GSAP-1) the new key
$$\Phi\Big(g'_n \prod_{j=1}^{n} g_j, s\Big).$$

In case some user, say $U_i$, leaves the group, then the corresponding value $f_i^n$
is omitted in the new message made by $U_n$.

Finally, in case a user $U_{n+1}$ joins the group, then user $U_n$ chooses a new
element $g'_n$ and sends the message
$$\Big\{\Phi(g'_n g_1, s),\ \Phi(g'_n g_2 g_1, s),\ \ldots,\ \Phi\Big(g'_n \prod_{j=1}^{n} g_j, s\Big)\Big\}$$
to user $U_{n+1}$. Then this user starts step 3 of GSAP-1.

Security of all new subsequent key distributions follows from Theorem 3.2.

In the case of protocols GSAP-2 and GSAP-3, described in Sections 2.2 and
2.4 respectively, we may use the information that every user holds after the
initial key agreement to rekey very efficiently, as is suggested in [?]. In this
case, given that every user remembers the same information, say
$$\Big\{\Phi\Big(\prod_{r=2}^{n} g_r, s\Big),\ \Phi\Big(\prod_{r=1; r \ne 2}^{n} g_r, s\Big),\ \ldots,\ \Phi\Big(\prod_{r=1; r \ne c}^{n} g_r, s\Big),\ \ldots,\ \Phi\Big(\prod_{r=1}^{n-1} g_r, s\Big)\Big\},$$
the rekeying process may be carried out by any one of them. Let us call this user
$U_c$. If rekeying is due to key expiry, then he chooses a new $g'_c \in G$, changes
his private key to $g'_c g_c$ and sends the following rekeying message:
$$\Big\{\Phi\Big(g'_c \prod_{r=2}^{n} g_r, s\Big),\ \Phi\Big(g'_c \prod_{r=1; r \ne 2}^{n} g_r, s\Big),\ \ldots,\ \Phi\Big(\prod_{r=1; r \ne c}^{n} g_r, s\Big),\ \ldots,\ \Phi\Big(g'_c \prod_{r=1}^{n-1} g_r, s\Big)\Big\}.$$
Then every user, using his private information, recovers the new common
key given by
$$\Phi\Big(g'_c \prod_{r=1}^{n} g_r, s\Big).$$

In case some user leaves the group, the corresponding position in the rekeying
message is omitted. If a new user joins the group, then $U_c$ adds the element
$$\Phi\Big(g'_c \prod_{r=1}^{n} g_r, s\Big)$$
and sends the following to the new user $U_{n+1}$:
$$\Big\{\Phi\Big(g'_c \prod_{r=2}^{n} g_r, s\Big),\ \ldots,\ \Phi\Big(\prod_{r=1; r \ne c}^{n} g_r, s\Big),\ \ldots,\ \Phi\Big(g'_c \prod_{r=1}^{n-1} g_r, s\Big),\ \Phi\Big(g'_c \prod_{r=1}^{n} g_r, s\Big)\Big\}.$$
This user proceeds (in both protocols GSAP-2 and GSAP-3) to step 5 of protocol
GSAP-3.

Again, security in every case is a consequence of Theorem 3.2.
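The three rekeying cases for GSAP-2/GSAP-3 above, as an added Python example (not the paper's code). It starts from the keying information $V_i = \Phi(\prod_{r \ne i} g_r, s)$ that every user holds after the initial agreement, uses the action $\Phi(y, x) = x^y \bmod p$ on $\langle s \rangle \subseteq GF(p)^*$, and checks who can derive the new key after an expiry refresh, a departure and a join. The toy parameters $p = 23$, $s = 2$ and all private exponents are assumptions of this example.

```python
# Added example, not code from the paper. Rekeying for GSAP-2/GSAP-3 from the
# keying information every user holds, V_i = Phi(prod_{r != i} g_r, s), with the
# action Phi(y, x) = x^y mod p on <s> in GF(p)^* (toy parameters p = 23, s = 2;
# assumption of this example).  Covers key expiry, a member leaving and a member
# joining, and checks that exactly the intended users obtain the new key.
from math import prod


def act(y: int, x: int, p: int) -> int:
    return pow(x, y, p)


def keying_info(keys, s, p):
    """V_i = Phi(prod_{r != i} g_r, s) for i = 1..n (0-based list)."""
    return [act(prod(keys[:i] + keys[i + 1:]), s, p) for i in range(len(keys))]


def rekey(info, keys, c, g_new, p, leaving=None):
    """U_c (0-based c) refreshes with g'_c.  Position c is left unchanged, every other
    position gets Phi(g'_c, .); a leaving member's position is omitted (None).
    Returns (rekeying message, updated private keys); the message is also the new V_i."""
    msg = [v if i == c else act(g_new, v, p) for i, v in enumerate(info)]
    new_keys = list(keys)
    new_keys[c] = g_new * keys[c]               # U_c's private key becomes g'_c g_c
    if leaving is not None:
        msg[leaving] = None
        new_keys[leaving] = None
    return msg, new_keys


def derive(msg, keys, p):
    """Each remaining user applies its private key to its own position of the message."""
    return [None if m is None or k is None else act(k, m, p) for m, k in zip(msg, keys)]


def join(info, keys, c, g_new, g_joiner, p):
    """U_c sends the refreshed message plus Phi(g'_c prod g_r, s) to U_{n+1}, who then
    plays U_n's part in step 5 of GSAP-3 and broadcasts the result."""
    msg, new_keys = rekey(info, keys, c, g_new, p)
    added = act(g_new, act(keys[c], info[c], p), p)       # Phi(g'_c prod_{r=1}^n g_r, s)
    broadcast = [act(g_joiner, m, p) for m in msg] + [added]   # joiner's own V_{n+1} is 'added'
    return broadcast, new_keys + [g_joiner]


if __name__ == "__main__":
    p, s, keys = 23, 2, [3, 5, 7]
    info = keying_info(keys, s, p)
    # key expiry: U_2 (index 1) refreshes with g' = 2
    msg, new_keys = rekey(info, keys, 1, 2, p)
    print("expiry:", derive(msg, new_keys, p), "expected", act(2 * prod(keys), s, p))
    # U_3 leaves while U_1 refreshes with g' = 6: U_3's position carries no value
    msg, new_keys = rekey(info, keys, 0, 6, p, leaving=2)
    print("leave: ", derive(msg, new_keys, p))
    # U_4 joins with g_4 = 4, sponsored by U_2 refreshing with g' = 2
    bcast, new_keys = join(info, keys, 1, 2, 4, p)
    print("join:  ", derive(bcast, new_keys, p), "expected", act(4 * 2 * prod(keys), s, p))
```

Note what the departing member is denied: the only value that would let $U_3$ reach the new key is its own position of the message, which is exactly the entry omitted; the other positions are masked by the other users' private elements.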


4 Secure group communication based on linear actions

As can be observed in the protocols given in the previous section, user $U_n$ plays
a central role, and in two of them every user is required to do a different number
of computations and store a different number of values, depending on his
proximity to $U_n$. The aim of this section is twofold. On the one hand, we give an
approach similar to that of GSAP-3 in order to get a protocol with the same
advantages that is applicable in situations where the semigroup $G$ acting on $S$
does not contain inverses. On the other hand, we give a new approach based
on linear actions that in some cases not only significantly decreases communication
overhead, but also reduces the number of rounds to just 2, which
significantly enhances efficiency.

We say that, given semigroups $G$ and $S$, an action $\Phi : G \times S \to S$ defined
by $\Phi(g, s) = g \cdot s$ is linear in case $\Phi(g, ss') = \Phi(g, s)\Phi(g, s')$.

The following protocol is a modification of GSAP-3 for a linear $G$-action $\Phi$
on $S$, but instead of requiring $G$ to be a group, we require this of $S$. We get
a similar protocol that is also an extension of Diffie-Hellman to the multiparty
case.

Protocol 5 (GSAP-3'). Users agree on an element $C_0 = s$ in a finite group $S$, a finite
abelian semigroup $G$, and a linear $G$-action $\Phi$ on $S$. For every $i = 1, \ldots, n$, the
user $U_i$ holds a private element $g_i \in G$.

1. For $i = 1, \ldots, n-2$, user $U_i$ sends to user $U_{i+1}$ the message $C_i = \Phi(g_i, C_{i-1})$.

2. User $U_{n-1}$ computes $C_{n-1} = \Phi(g_{n-1}, C_{n-2})$ and broadcasts it to the other
users $\{U_1, \ldots, U_{n-2}, U_n\}$.

3. User $U_n$ computes the element $\Phi(g_n, C_{n-1})$.

4. For $i = 1, \ldots, n-1$, user $U_i$ computes $D_i = \Phi(g_i, s)^{-1} C_{n-1}$ and sends it
to user $U_n$.

5. For $i = 1, \ldots, n-1$, user $U_n$ computes $\Phi(g_n, D_i)$ and sends to users
$\{U_1, \ldots, U_{n-1}\}$ the set of values $\{\Phi(g_n, D_1), \ldots, \Phi(g_n, D_{n-1}), \Phi(g_n, D_n)\}$
and his public key $\Phi(g_n, s)$, where $D_n = \Phi(g_n, s)^{-1} C_{n-1}$.

6. For $i = 1, \ldots, n-1$, user $U_i$ computes $\Phi(g_i, \Phi(g_n, s))\,\Phi(g_n, D_i)$.

Theorem 4.1. After protocol GSAP-3', the users $U_1, \ldots, U_n$ share a common
key given by
$$\Phi\Big(\prod_{i=1}^{n} g_i, s\Big).$$

Proof. This follows from the linearity of the action $\Phi$:
$$\Phi(g_i, \Phi(g_n, s))\,\Phi(g_n, D_i) = \Phi(g_i g_n, s)\,\Phi\Big(g_n, \Phi(g_i, s)^{-1}\,\Phi\Big(\prod_{r=1}^{n-1} g_r, s\Big)\Big) = \Phi(g_i g_n, s)\,\Phi(g_n g_i, s)^{-1}\,\Phi\Big(\prod_{r=1}^{n} g_r, s\Big) = \Phi\Big(\prod_{r=1}^{n} g_r, s\Big),$$
since $\Phi(g_i, e) = e$, $e$ being the neutral element of $S$, and $\Phi(g_i, s)^{-1} = \Phi(g_i, s^{-1})$, again by the
linearity of the action. $\square$
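The following Python is an added example (not the paper's code) that runs GSAP-3 of Section 2.4 and GSAP-3' side by side on the same inputs, to make the difference concrete: GSAP-3 inverts $g_i$ in the group $G = \mathbb{Z}_q^*$ of exponents, whereas GSAP-3' inverts $\Phi(g_i, s)$ in the group $S = \langle s \rangle \subseteq GF(p)^*$ and relies on the linearity $(xy)^g = x^g y^g$. The toy parameters $p = 23$, $q = 11$, $s = 2$ and the private exponents are assumptions of this example.

```python
# Added example, not code from the paper. GSAP-3 (inverses in G, here exponents
# in Z_q^*) and GSAP-3' (inverses in S, here in GF(p)^*) side by side, both with
# the action Phi(y, x) = x^y mod p on <s> of prime order q.  Toy parameters
# p = 23, q = 11, s = 2 are an assumption of this example.
from math import prod


def act(y: int, x: int, p: int) -> int:
    return pow(x, y, p)


def ascending_chain(keys, s, p):
    """Steps 1-2 shared by both protocols: C_i = Phi(g_i, C_{i-1}); returns C_{n-1}."""
    c = s
    for g in keys[:-1]:
        c = act(g, c, p)
    return c


def gsap3(keys, s, p, q):
    """GSAP-3: U_i masks C_{n-1} with g_i^{-1} (inverse modulo the order q)."""
    n = len(keys)
    c_last = ascending_chain(keys, s, p)
    key_n = act(keys[-1], c_last, p)                                   # step 3
    D = [act(pow(keys[i], -1, q), c_last, p) for i in range(n - 1)]    # step 4
    E = [act(keys[-1], d, p) for d in D]                               # step 5
    return [act(keys[i], E[i], p) for i in range(n - 1)] + [key_n]     # step 6


def gsap3_prime(keys, s, p):
    """GSAP-3': U_i masks C_{n-1} with Phi(g_i, s)^{-1} in S; no inverse in G is needed."""
    n = len(keys)
    c_last = ascending_chain(keys, s, p)
    key_n = act(keys[-1], c_last, p)                                            # step 3
    D = [pow(act(keys[i], s, p), -1, p) * c_last % p for i in range(n)]         # step 4 (+ D_n)
    E = [act(keys[-1], d, p) for d in D]                                        # step 5
    pub_n = act(keys[-1], s, p)
    return [act(keys[i], pub_n, p) * E[i] % p for i in range(n - 1)] + [key_n]  # step 6


if __name__ == "__main__":
    p, q, s, keys = 23, 11, 2, [3, 5, 7, 4]
    expected = act(prod(keys), s, p)
    print("GSAP-3 :", gsap3(keys, s, p, q), "expected", expected)
    print("GSAP-3':", gsap3_prime(keys, s, p), "expected", expected)
```

In GSAP-3 the requirement $\gcd(g_i, q) = 1$ from Remark 2.4 surfaces as the `pow(g, -1, q)` call, which raises if the inverse does not exist; GSAP-3' has no such requirement on $G$, but every $D_i$ together with $C_{n-1}$ reveals $\Phi(g_i, s)$, which is why Proposition 4.2 and Theorem 4.3 argue from the public values $\Phi(g_i, s)$.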

Example 1. a) Given again a cyclic group $S$ of order $q$ generated by $g$, the
action $\Phi : \mathbb{N}^* \times S \to S$ defined by $\Phi(y, g^x) = (g^x)^y$ is clearly linear, so the above
argument applies. $D_i$ takes the form $g^{\prod_{j=1}^{n-1} x_j}\, g^{-x_i}$.

b) If $\mathcal{E}$ is the group of points of an elliptic curve, then $\mathcal{E}$ is a $\mathbb{Z}$-module via
the linear action $\Phi(k, P) = kP$ for every $k \in \mathbb{Z}$ and $P \in \mathcal{E}$. $D_i$ takes the form
$$\Big(\prod_{j=1}^{n-1} k_j\Big) P - k_i P.$$

c) Let us introduce an example where the preceding protocols can be run
over a module structure. Let us recall from [2] the following ring:
$$E_p^{(m)} = \Big\{[a_{ij}] \in \mathrm{Mat}_{m \times m}(\mathbb{Z}) \;\Big|\; a_{ij} \in \mathbb{Z}_{p^i} \text{ if } i \le j, \text{ and } a_{ij} \in p^{i-j}\mathbb{Z}_{p^j} \text{ if } i > j\Big\},$$
with addition and multiplication defined, respectively, as follows:
$$[a_{ij}] + [b_{ij}] = \big[(a_{ij} + b_{ij}) \bmod p^i\big], \qquad [a_{ij}] \cdot [b_{ij}] = \Big[\Big(\sum_{k=1}^{m} a_{ik} b_{kj}\Big) \bmod p^i\Big].$$
Here $\mathrm{Mat}_{m \times m}(\mathbb{Z})$ denotes the set of $m \times m$ matrices with entries in $\mathbb{Z}$, and
$p^r\mathbb{Z}_{p^s}$ denotes the set $\{p^r u \mid u \in \{0, \ldots, p^s - 1\}\} \subseteq \mathbb{Z}$ for positive integers $r$
and $s$. This ring is clearly non-commutative and its product defines an action of
the multiplicative semigroup $E_p^{(m)}$ on the set $\mathbb{Z}_p \times \mathbb{Z}_{p^2} \times \cdots \times \mathbb{Z}_{p^m}$. However, to
ensure that the key exchange works, we need the elements in the semigroup to
commute. In this non-commutative setting, this may be achieved by requiring
that the selected elements in the semigroup $E_p^{(m)}$ are of the form
$$\sum_{i=0}^{r} G_i M^i,$$
such that for every $i = 0, \ldots, r$, $G_i$ is in the center $Z$ of $E_p^{(m)}$ and $M \in E_p^{(m)}$ is a
public element whose set of powers is large enough. In other words, if we
denote the set of elements of this form by $Z[M]$, then we are using for $G$ the
multiplicative subsemigroup $Z[M]$ of $E_p^{(m)}$.

From [3, Theorem 2] we can deduce conditions on the public information
to be sent in order to prevent an attacker from solving the SAP in the
subsemigroup of $Z[M]$ given by the center $Z$ of the ring, which has cardinality $p^m$
(cf. [2]). Thus if $M$ has high order, i.e. the least integer $n$
satisfying $M^{k+n} = M^k$ for every sufficiently large $k$ is large, we will obtain that
$Z[M]$ is big enough.

Note that our aim in this paper is not to prove the hardness of the SAP
for this particular example, but rather to present protocols which rely on the
hardness of the SAP in a particular scenario once it has been established there.
The non-commutative scenario in particular may present hidden vulnerabilities,
as was shown in recent cryptanalyses, e.g. [1, 5], although these seem not to
apply directly in this setting. For example, [5] introduces a cryptanalysis for
the case of two users when the ring $E_p^{(m)}$ acts on itself, which can be countered
by choosing $p$ and $m$ appropriately in order to avoid the existence of inverses
[2]. In the case of [1], the cryptanalysis requires building a system of equations,
which does not seem to be straightforward in this new setting of $Z[M]$. In
[7, Proposition 3.9] it is asserted that if the commutative semigroup has a large
number of invertible elements, then it is possible to develop a square root attack
on the SAP. Again we point out that $E_p^{(m)}$ could be chosen in order to avoid
this attack.

Given that both $\Phi\big(\prod_{i=1}^{n-1} g_i, s\big)$ and $\Phi(g_n, s)$ are public we immediately get the
following.

Proposition 4.2. If an adversary is able to solve the DHSAP, then she can get
the shared key in GSAP-3'.

Let us recall from [8] that given any $G$-action $\Phi$ on $S$, we can easily define
an ElGamal type of public key cryptosystem. We define the following ElGamal
type of protocol.

1. Alice and Bob publicly agree on an element $s \in S$.

2. Bob chooses $b \in G$ and computes $\Phi(b, s)$. Bob's private key is $b$, his public
key is $\Phi(b, s)$.

3. If Alice wants to send the message $m \in S$ to Bob, then she gets Bob's
public key $\Phi(b, s)$.

4. Alice chooses randomly $a \in G$ and computes $\Phi(a, s)$ and $\Phi(a, \Phi(b, s))$.

5. Alice sends to Bob the pair $(c, d) = \big(\Phi(a, s),\ m\,\Phi(a, \Phi(b, s))\big)$.

6. Bob recovers $m = d\,\Phi(b, c)^{-1} = m\,\Phi(a, \Phi(b, s))\,\Phi(b, \Phi(a, s))^{-1}$, given that
$S$ has a group structure.

It can be easily observed that solving the DHSAP is equivalent to breaking
the preceding scheme: if given the public information
$$\big(s,\ \Phi(a, s),\ \Phi(b, s),\ m\,\Phi(ab, s)\big)$$
one is able to get $m$, then the input $(s, \Phi(a, s), \Phi(b, s), e)$, for $e \in S$ the neutral
element, produces $\Phi(ab, s)^{-1}$, which solves the DHSAP. Conversely, given Bob's
public key $\Phi(b, s)$ and the pair $(\Phi(a, s), m\,\Phi(a, \Phi(b, s)))$, one can use $\Phi(ab, s)$
from the DHSAP to recover $m$.

Now using the above we are able to show the security of GSAP-3'.

Theorem 4.3. The group key that users derive as a result of GSAP-3' is indistinguishable
in polynomial time from a random value whenever the corresponding
Diffie-Hellman protocol induced by $\Phi$ for two users also satisfies this property.

Proof. Given that both $C_{n-1} = \Phi\big(\prod_{i=1}^{n-1} g_i, s\big)$ and $D_i = \Phi(g_i, s)^{-1} C_{n-1}$ are public,
an adversary is able to get all the public values $\Phi(g_i, s)$, $i = 1, \ldots, n$. Now
user $U_n$ sends the message $\{\Phi(g_n, D_i)\}_{i=1}^{n}$ jointly with $\Phi(g_n, s)$; in other words,
due to the linearity of $\Phi$, user $U_n$ sends a family of pairs, $i = 1, \ldots, n$,
$$\Big(\Phi(g_n, s),\ \Phi\big(g_n, \Phi(g_i, s)^{-1}\big)\,\Phi\Big(g_n, \Phi\Big(\prod_{j=1}^{n-1} g_j, s\Big)\Big)\Big),$$
which can be seen as a set of ElGamal encryptions of the message
$$\Phi\Big(\prod_{i=1}^{n} g_i, s\Big) = \Phi\Big(g_n, \Phi\Big(\prod_{i=1}^{n-1} g_i, s\Big)\Big)$$
using the public keys $\Phi(g_i, s^{-1}) = \Phi(g_i, s)^{-1}$, $i = 1, \ldots, n$, with $g_n$ as the random element.
Alternatively, one can consider the pairs
$$\Big(\Phi(g_i, s),\ \Phi\big(g_n, \Phi(g_i, s)^{-1}\big)\,\Phi\Big(g_n, \Phi\Big(\prod_{j=1}^{n-1} g_j, s\Big)\Big)\Big),$$
which can also be seen, given the commutativity of $G$, as a set of ElGamal
encryptions of the same message
$$\Phi\Big(\prod_{i=1}^{n} g_i, s\Big) = \Phi\Big(g_n, \Phi\Big(\prod_{i=1}^{n-1} g_i, s\Big)\Big)$$
using the public key $\Phi(g_n, s^{-1})$, and the $g_i$'s as random elements, for $i = 1, \ldots, n$.

Thus, as we pointed out above, given the equivalence of the security of the
ElGamal type of public key cryptosystem and the DHSAP, the result follows. $\square$

The rekeying process in this setting is analogous to that described in Section
3 for protocols GSAP-2 and GSAP-3.

We first note that every user remembers the following keying information:
$$\{\Phi(g_n, D_1), \ldots, \Phi(g_n, D_n)\}.$$

In case of key expiry, user $U_c$ for some $c = 1, \ldots, n$ chooses a new element
$g'_c \in G$, computes a new key given by
$$\Phi\Big(g'_c, \Phi\Big(\prod_{i=1}^{n} g_i, s\Big)\Big)$$
and his new keying information
$$\Phi\big((g'_c)^2 g_c g_n, s\big)^{-1}\,\Phi\Big(g'_c, \Phi\Big(\prod_{i=1}^{n} g_i, s\Big)\Big),$$
and broadcasts the following message
$$\Big\{\Phi(g'_c, \Phi(g_n, D_1)),\ \ldots,\ \Phi\big((g'_c)^2 g_c g_n, s\big)^{-1}\,\Phi\Big(g'_c, \Phi\Big(\prod_{i=1}^{n} g_i, s\Big)\Big),\ \ldots,\ \Phi(g'_c, \Phi(g_n, D_{n-1})),\ \Phi(g'_c, \Phi(g_n, D_n))\Big\},$$
jointly with the value $\Phi(g'_c, \Phi(g_n, s))$, which replaces $\Phi(g_n, s)$ as the public key
used in step 6. User $U_c$ changes his private information to $g_c g'_c$.

In case rekeying is due to some user leaving the group, the corresponding
value is omitted in the above message.

Finally, let us assume that $U_{n+1}$ joins the group. The process corresponds in
this case to something similar to a "double rekeying" as above. First, $U_c$ sends
to $U_{n+1}$
$$\Big\{\Phi(g'_c, \Phi(g_n, D_1)),\ \ldots,\ \Phi\big((g'_c)^2 g_c g_n, s\big)^{-1}\,\Phi\Big(g'_c, \Phi\Big(\prod_{i=1}^{n} g_i, s\Big)\Big),\ \ldots,\ \Phi(g'_c, \Phi(g_n, D_{n-1})),\ \Phi(g'_c, \Phi(g_n, D_n)),\ \Phi\Big(g'_c, \Phi\Big(\prod_{i=1}^{n} g_i, s\Big)\Big)\Big\},$$
jointly with the value $\Phi(g'_c, \Phi(g_n, s))$. Then $U_{n+1}$ broadcasts a rekeying message
given by
$$\Big\{\Phi(g_{n+1} g'_c, \Phi(g_n, D_1)),\ \ldots,\ \Phi\big(g_{n+1} (g'_c)^2 g_c g_n, s\big)^{-1}\,\Phi\Big(g'_c, \Phi\Big(\prod_{j=1}^{n+1} g_j, s\Big)\Big),\ \ldots,\ \Phi(g_{n+1} g'_c, \Phi(g_n, D_{n-1})),\ \Phi(g_{n+1} g'_c, \Phi(g_n, D_n)),\ \Phi\big(g_{n+1}^2 g'_c g_n, s\big)^{-1}\,\Phi\Big(g'_c, \Phi\Big(\prod_{i=1}^{n+1} g_i, s\Big)\Big)\Big\},$$
jointly with the value $\Phi(g_{n+1} g'_c g_n, s)$, which becomes the new public key of step 6.

Security of these processes is shown with a similar argument as in Theorem 4.3.

A more symmetrical use of linear actions is the following protocol, which 
decreases the number of rounds to just 2, but which is only applicable in some 
cases. 

Protocol 6 (GSAP-4). Users agree on an element $s$ in a finite abelian semigroup
$S$, a finite abelian semigroup $G$, and a linear $G$-action $\Phi$ on $S$. For every
$i = 1, \ldots, n$, the user $U_i$ holds a private element $g_i \in G$.

1. For every $i = 1, \ldots, n$, user $U_i$ makes public $\Phi(g_i, s) = g_i \cdot s$.

2. For some $j = 1, \ldots, n$, user $U_j$ computes and makes public
$$D_i = \Phi\Big(g_j, \prod_{r \ne j, i} \Phi(g_r, s)\Big), \qquad i \ne j,\ i = 1, \ldots, n.$$

3. For every $i = 1, \ldots, n$, $i \ne j$, user $U_i$ computes $D_i\,\Phi(g_i, \Phi(g_j, s))$. User $U_j$
computes $\Phi\big(g_j, \prod_{r \ne j} \Phi(g_r, s)\big)$.

Theorem 4.4. After protocol GSAP-4, the users $U_1, \ldots, U_n$ share a common
key given by $\Phi\big(g_j, \prod_{r \ne j} \Phi(g_r, s)\big)$.

Proof. For every $i = 1, \ldots, n$, $i \ne j$,
$$\begin{aligned}
D_i\,\Phi(g_i, \Phi(g_j, s)) &= \Phi\Big(g_j, \prod_{r \ne j, i} \Phi(g_r, s)\Big)\,\Phi(g_i g_j, s) \\
&= \Phi\Big(g_j, \prod_{r \ne j, i} \Phi(g_r, s)\Big)\,\Phi(g_j g_i, s) \\
&= \Phi\Big(g_j, \prod_{r \ne j, i} \Phi(g_r, s)\Big)\,\Phi(g_j, \Phi(g_i, s)) \\
&= \Phi\Big(g_j, \prod_{r \ne j} \Phi(g_r, s)\Big),
\end{aligned}$$
the last equality by linearity of $\Phi$. $\square$


Example 2. a) Let us consider again a cyclic group $S$ of order $q$ generated by
$g$, with the action $\Phi : \mathbb{N}^* \times S \to S$ given by $\Phi(y, g^x) = (g^x)^y$. Then GSAP-4
yields a shared key of the form $K = g^{k_j \sum_{r \ne j} k_r}$. An adversary can access
the messages
$$D_i = \Phi\Big(g_j, \prod_{r \ne j, i} \Phi(g_r, s)\Big) = g^{k_j \sum_{r \ne j, i} k_r}, \qquad i \ne j,\ i = 1, \ldots, n,$$
from which she can compute $\prod_{i=1, i \ne j}^{n} D_i = K^{n-2}$. In the case where the
order $q$ of $S$ is known and $\gcd(n-2, q) = 1$, the adversary can now recover the key $K$ from $K^{n-2}$ by
inverting $n-2$ modulo $q$. This is in particular the case where $S$ is a subgroup of
a finite field, or where it is the group of points of an elliptic curve. However, we
can avoid this weakness by adding some authentication information as is done
in [?].

b) Let $m = pq$ with $p$ and $q$ two large primes and let $G = \mathbb{Z}_{(p-1)(q-1)}$. Then
the action $\Phi : G \times \mathbb{Z}_m \to \mathbb{Z}_m$ given by $\Phi(x, g) = g^x \bmod m$ gives an example
where the above attack cannot be carried out unless the adversary is able to
factor $m$. The shared key in this case is of the form $g^{x_j \sum_{i \ne j} x_i} \bmod m$.

c) We recall that a semiring $R$ is a semigroup with respect to both addition
and multiplication in which the distributive laws hold. It is also understood that a
semiring is commutative with respect to addition, and the existence of neutral
elements is not required, although some authors do require it. Then given a
semiring $R$, a left $R$-semimodule $M$ is an abelian semigroup with an action
$R \times M \to M$, $\Phi(r, m) = rm$, satisfying $r(sm) = (rs)m$, $(r + s)m = rm + sm$
and $r(m + n) = rm + rn$ for all $r, s \in R$ and $m, n \in M$. Thus, based on the
previous two examples, we can assert in general that any semimodule $S$ over a
semiring $R$ fits with GSAP-4 and the shared key is of the form
$$\Big(k_j \sum_{r \ne j} k_r\Big) s$$
for $k_i \in R$, $i = 1, \ldots, n$, private and $s \in S$ public.

Remark 4.5. Due to the attack shown in example a), the hardness of the
Diffie-Hellman problem is not enough to show security in this case. We leave it
as an open question whether the hardness of factoring would be enough to do
so.
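GSAP-4 and the passive attack of Example 2 a), as an added Python example (not the paper's code). It runs the two-round protocol with the linear action $\Phi(y, x) = x^y \bmod p$ on $\langle s \rangle \subseteq GF(p)^*$ of known prime order $q$, then has an eavesdropper multiply the published $D_i$ to obtain $K^{n-2}$ and invert the exponent modulo $q$. The toy parameters $p = 23$, $q = 11$, $s = 2$ and the private exponents are assumptions of this example.

```python
# Added example, not code from the paper. GSAP-4 with the linear action
# Phi(y, x) = x^y mod p on <s> of known prime order q in GF(p)^*, followed by the
# passive attack of Example 2 a): prod_{i != j} D_i = K^(n-2), inverted modulo q.
# Toy parameters p = 23, q = 11, s = 2 are an assumption of this example.
from functools import reduce
from math import gcd


def act(y: int, x: int, p: int) -> int:
    return pow(x, y, p)


def mulmod(values, p):
    """Product of an iterable of residues modulo p (empty product is 1)."""
    return reduce(lambda a, b: a * b % p, values, 1)


def gsap4(keys, s, p, j):
    """Run GSAP-4 with U_j (0-based j) as the user of step 2.
    Returns (public values Phi(g_i, s), the published D_i, keys derived by each user)."""
    n = len(keys)
    pub = [act(k, s, p) for k in keys]                                   # step 1
    D = {}
    for i in range(n):
        if i != j:                                                      # step 2
            D[i] = act(keys[j], mulmod((pub[r] for r in range(n) if r not in (i, j)), p), p)
    derived = []
    for i in range(n):                                                  # step 3
        if i == j:
            derived.append(act(keys[j], mulmod((pub[r] for r in range(n) if r != j), p), p))
        else:
            derived.append(D[i] * act(keys[i], pub[j], p) % p)
    return pub, D, derived


def passive_attack(D, n, q, p):
    """Example 2 a): the product of the published D_i equals K^(n-2); with the
    order q public and gcd(n-2, q) = 1 the eavesdropper recovers K outright."""
    if gcd(n - 2, q) != 1:
        return None             # n-2 not invertible mod q: this attack does not apply
    k_pow = mulmod(D.values(), p)                 # K^(n-2)
    return act(pow(n - 2, -1, q), k_pow, p)       # (K^(n-2))^((n-2)^-1 mod q) = K


if __name__ == "__main__":
    p, q, s, keys = 23, 11, 2, [3, 5, 7, 4]
    pub, D, derived = gsap4(keys, s, p, j=0)
    print("derived keys:", derived)
    print("eavesdropper:", passive_attack(D, len(keys), q, p))
```

The attack needs nothing but the public transcript and the group order, which is why Remark 4.5 concludes that DHSAP hardness alone cannot carry a proof for GSAP-4 in this setting; Example 2 b) blocks the final step by hiding the order behind the factorization of $m$.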


Remark 4.6. We can also give protocols based on two-sided actions. To this
end we recall that given a semiring $S$, right $S$-semimodules are defined dually
to left ones. Then, given two semirings $R$ and $S$, an $(R, S)$-bisemimodule $M$ is
both a left $R$-semimodule and a right $S$-semimodule such that $(rm)s = r(ms)$
for every $r \in R$, $m \in M$ and $s \in S$.

Now we are able to provide key exchange protocols similar to those given in
the previous sections based on two-sided linear actions over an $(R, S)$-bisemimodule
$M$. In the case of GSAP-3', since we need the existence of inverses with respect
to addition in $M$, we may suppose that $M$ has an $(R, S)$-bimodule structure for
some rings $R$ and $S$.


5 Appendix: GSAP-1

Theorem 5.1. After protocol GSAP-1, users $U_1, \ldots, U_n$ agree on the common
key $\Phi\big(\prod_{i=1}^{n} g_i, s\big)$.

Proof. User $U_n$ computes
$$\Phi(g_n, C_{n-1}) = \Phi\Big(g_n, \Phi\Big(\prod_{j=1}^{n-1} g_j, s\Big)\Big) = \Phi\Big(\prod_{j=1}^{n} g_j, s\Big).$$

Let us show now that the rest of the users recover exactly the same key. For
$k = 1, \ldots, n-1$, user $U_k$ computes $\Phi(g_k, f_k^{k+1})$.

It is straightforward to show, by induction on $i$ from the definition of the $f_j^k$, that for every $i = 0, \ldots, n-2$ and $j = 1, \ldots, n-i-1$,
the following equality holds:
$$f_j^{n-i} = \Phi\Big(\Big(\prod_{r=n-i}^{n} g_r\Big)\Big(\prod_{r=1}^{j-1} g_r\Big), s\Big),$$
with the empty product being equal to $1$.

Taking $i = n-k-1$ and $j = k$ we then have:
$$f_k^{k+1} = \Phi\Big(\Big(\prod_{r=k+1}^{n} g_r\Big)\Big(\prod_{r=1}^{k-1} g_r\Big), s\Big) = \Phi\Big(\prod_{r=1; r \ne k}^{n} g_r, s\Big).$$

Thus, user $U_k$ computes
$$\Phi(g_k, f_k^{k+1}) = \Phi\Big(g_k, \Phi\Big(\prod_{r=1; r \ne k}^{n} g_r, s\Big)\Big) = \Phi\Big(\prod_{r=1}^{n} g_r, s\Big),$$
as we wanted to show. $\square$


6 Appendix: GSAP-2

Theorem 6.1. After protocol GSAP-2, users $U_1, \ldots, U_n$ agree on a common
key given by $\Phi\big(\prod_{r=1}^{n} g_r, s\big)$.

Proof. User $U_n$ computes
$$\Phi(g_n, C_{n-1}^{n-1}) = \Phi\Big(g_n, \Phi\Big(\prod_{r=1}^{n-1} g_r, s\Big)\Big) = \Phi\Big(\prod_{r=1}^{n} g_r, s\Big).$$
Let us show that user $U_i$, $i = 1, \ldots, n-1$, also computes $\Phi\big(\prod_{r=1}^{n} g_r, s\big)$.
To do so, we will prove that
$$C_i^{i+s} = \Phi\Big(\prod_{r=1; r \ne i}^{i+s} g_r, s\Big) \quad \text{for } s = 1, \ldots, n-2 \text{ and } i = 1, \ldots, n-s-1.$$

Let us make induction on $s$. For $s = 1$, we get by definition that $C_i^{i+1} = \Phi(g_{i+1}, C_{i-1}^{i-1})$.
Now it is clear that $C_j^j = \Phi\big(\prod_{r=1}^{j} g_r, s\big)$ for every $j = 1, \ldots, n-1$. Therefore
$$C_i^{i+1} = \Phi\Big(g_{i+1}, \Phi\Big(\prod_{r=1}^{i-1} g_r, s\Big)\Big) = \Phi\Big(\prod_{r=1; r \ne i}^{i+1} g_r, s\Big).$$
Suppose now that $C_i^{i+s-1} = \Phi\big(\prod_{r=1; r \ne i}^{i+s-1} g_r, s\big)$. Then, by definition,
$$C_i^{i+s} = \Phi(g_{i+s}, C_i^{i+s-1}) = \Phi\Big(g_{i+s}, \Phi\Big(\prod_{r=1; r \ne i}^{i+s-1} g_r, s\Big)\Big) = \Phi\Big(\prod_{r=1; r \ne i}^{i+s} g_r, s\Big).$$
Thus
$$C_i^{n-1} = C_i^{i+(n-1-i)} = \Phi\Big(\prod_{r=1; r \ne i}^{n-1} g_r, s\Big)$$
for $i = 1, \ldots, n-2$, while for $i = n-1$ we have directly $f_{n-1}^n = \Phi(g_n, C_{n-2}^{n-2})$. Therefore, for every $i = 1, \ldots, n-1$,
$$f_i^n = \Phi\Big(g_n, \Phi\Big(\prod_{r=1; r \ne i}^{n-1} g_r, s\Big)\Big) = \Phi\Big(\prod_{r=1; r \ne i}^{n} g_r, s\Big),$$
and so user $U_i$ computes
$$\Phi(g_i, f_i^n) = \Phi\Big(g_i, \Phi\Big(\prod_{r=1; r \ne i}^{n} g_r, s\Big)\Big) = \Phi\Big(\prod_{r=1}^{n} g_r, s\Big),$$
as we wanted to show. $\square$